EIGRP and OSPF Route Redistribution with VRF and Firewall

Cisco_User2 (Level 1)

Hi Team,

 

I have an environment set up pretty similar to the diagram below (recreated in the lab for testing):

 

[Diagram: Test Setup.png]

 

There are 3 routers (ROUTER1, ROUTER2, ROUTER3) and 2 firewalls (FIREWALL1, FIREWALL2).

Interface G4 on ROUTER1 and ROUTER2 is in a separate VRF, which runs OSPF and forms an OSPF adjacency to the Cisco ASA firewall.

The remaining interfaces on the router are not in a VRF, and their routes are just populated in the global routing table. Interface G3 on the router forms an EIGRP adjacency to the firewall.

The firewall then redistributes EIGRP into OSPF and vice versa.

There are GRE tunnels connecting ROUTER 1<->3, ROUTER 3<->2 and ROUTER 1<->2.

The link between ROUTER 1 and 3 is 1Mb, with 200ms latency.

The link between ROUTER 2 and 3 is 1Mb, with 200ms latency.

The link between ROUTER 1 and 2 is 100Mb with 20ms latency.

 

If I have all links and all tunnels up and I look at the routing table on ROUTER1, EIGRP routes the traffic destined for ROUTER 2 via ROUTER 3 (via the slow, latent links). If I turn off one of the tunnels to ROUTER 3, then traffic routes directly to ROUTER 2 (as expected).

 

Having a look at the EIGRP topology on ROUTER1 and ROUTER2, it appears that doing the redistribution between OSPF and EIGRP on the firewall basically sets a default value as the cost, rather than passing on the true costed value for the complete route (I guess by Cisco design).

 

What I need is a way to configure the above network so that traffic from ROUTER1 to ROUTER2 will go directly (via the firewalls), rather than over the slow link via ROUTER3.

 

Relevant configs attached below:

 

ROUTER1

interface Loopback0
 ip address 5.5.5.1 255.255.255.255
!
interface Tunnel12
 description RTR1 to RTR2 (ospf)
 ip vrf forwarding INTERNAL
 ip address 20.1.1.1 255.255.255.0
 keepalive 10 3
 tunnel source GigabitEthernet5
 tunnel destination 172.1.1.2
 tunnel vrf INTERNAL
!
interface Tunnel13
 description RTR1 to RTR3 (eigrp)
 ip address 10.1.1.2 255.255.255.0
 delay 10000
 keepalive 10 3
 tunnel source GigabitEthernet2
 tunnel destination 172.2.1.1
!
interface GigabitEthernet3
 description RTR1 to FWL1 (eigrp)
 ip address 1.1.1.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet4
 description RTR1 to FWL1 (ospf)
 ip vrf forwarding INTERNAL
 ip address 1.1.2.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet5
 description RTR1 to RTR2
 ip vrf forwarding INTERNAL
 ip address 172.1.1.1 255.255.255.0
 negotiation auto
!
router eigrp 1
 network 1.1.1.0 0.0.0.255
 network 5.5.5.1 0.0.0.0
 network 10.1.1.0 0.0.0.255
 eigrp router-id 1.1.1.1
!
router ospf 1 vrf INTERNAL
 router-id 1.1.2.1
 network 1.1.2.0 0.0.0.255 area 0
 network 20.1.1.0 0.0.0.255 area 0
!

 

 

 

ROUTER2

interface Loopback0
 ip address 5.5.5.2 255.255.255.255
!
interface Tunnel21
 description RTR2 to RTR1 (ospf)
 ip vrf forwarding INTERNAL
 ip address 20.1.1.2 255.255.255.0
 keepalive 10 3
 tunnel source GigabitEthernet5
 tunnel destination 172.1.1.1
 tunnel vrf INTERNAL
!
interface Tunnel23
 description RTR2 to RTR3 (eigrp)
 ip address 10.2.1.2 255.255.255.0
 delay 10000
 keepalive 10 3
 tunnel source GigabitEthernet2
 tunnel destination 172.3.1.1
!
interface GigabitEthernet2
 description RTR2 to RTR3
 ip address 172.3.1.2 255.255.255.0
 negotiation auto
!
interface GigabitEthernet3
 description RTR2 to FWL2 (eigrp)
 ip address 2.2.1.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet4
 description RTR2 to FWL2 (ospf)
 ip vrf forwarding INTERNAL
 ip address 2.2.2.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet5
 description RTR2 to RTR1
 ip vrf forwarding INTERNAL
 ip address 172.1.1.2 255.255.255.0
 negotiation auto
!
router eigrp 1
 network 2.2.1.0 0.0.0.255
 network 5.5.5.2 0.0.0.0
 network 10.2.1.0 0.0.0.255
 eigrp router-id 2.2.1.1
!
router ospf 1 vrf INTERNAL
 router-id 2.2.2.1
 network 2.2.2.0 0.0.0.255 area 0
 network 20.1.1.0 0.0.0.255 area 0
!

 

 

 

ROUTER3

interface Loopback0
 ip address 5.5.5.3 255.255.255.255
!
interface Tunnel31
 ip address 10.1.1.1 255.255.255.0
 delay 10000
 keepalive 10 3
 tunnel source GigabitEthernet2
 tunnel destination 172.2.1.2
!
interface Tunnel32
 ip address 10.2.1.1 255.255.255.0
 delay 10000
 keepalive 10 3
 tunnel source GigabitEthernet3
 tunnel destination 172.3.1.2
!
interface GigabitEthernet2
 description RTR3 to RTR1
 ip address 172.2.1.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet3
 description RTR3 to RTR2
 ip address 172.3.1.1 255.255.255.0
 negotiation auto
!
router eigrp 1
 network 5.5.5.3 0.0.0.0
 network 10.1.1.0 0.0.0.255
 network 10.2.1.0 0.0.0.255
 eigrp router-id 10.1.1.1

 

FIREWALL1


interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 50
 ip address 1.1.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif OUTSIDE-S
 security-level 50
 ip address 1.1.2.2 255.255.255.0
!
router eigrp 1
 eigrp router-id 1.1.1.2
 network 1.1.1.0 255.255.255.0
 redistribute ospf 1 metric 10000 10 255 1 1500
!
router ospf 1
 router-id 1.1.2.2
 network 1.1.2.0 255.255.255.0 area 0
 log-adj-changes
 redistribute eigrp 1 metric 10 subnets

FIREWALL2


interface GigabitEthernet0/2
 description FWL2 to RTR2 (eigrp)
 nameif OUTSIDE
 security-level 50
 ip address 2.2.1.2 255.255.255.0
!
interface GigabitEthernet0/3
 nameif OUTSIDE-S
 security-level 50
 ip address 2.2.2.2 255.255.255.0
!
router eigrp 1
 eigrp router-id 2.2.1.2
 network 2.2.1.0 255.255.255.0
 redistribute ospf 1 metric 10000 10 255 1 1500
!
router ospf 1
 router-id 2.2.2.2
 network 2.2.2.0 255.255.255.0 area 0
 log-adj-changes
 redistribute eigrp 1 metric 10 subnets

 

When all tunnels and interfaces are up (you can see EIGRP routes everything via ROUTER3, not to ROUTER2 directly):

 

ROUTER1
ROUTER1#sh ip eigrp topology all-links
EIGRP-IPv4 Topology Table for AS(1)/ID(1.1.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 20.1.1.0/24, 1 successors, FD is 258816, serno 11
        via 1.1.1.2 (258816/258560), GigabitEthernet3
P 5.5.5.2/32, 1 successors, FD is 30848000, serno 38
        via 10.1.1.1 (30848000/28288000), Tunnel13
P 2.2.2.0/24, 1 successors, FD is 258816, serno 13
        via 1.1.1.2 (258816/258560), GigabitEthernet3
P 2.2.1.0/24, 1 successors, FD is 30720256, serno 37
        via 10.1.1.1 (30720256/28160256), Tunnel13
P 5.5.5.3/32, 1 successors, FD is 28288000, serno 29
        via 10.1.1.1 (28288000/128256), Tunnel13
P 5.5.5.1/32, 1 successors, FD is 128256, serno 24
        via Connected, Loopback0
P 10.2.1.0/24, 1 successors, FD is 30720000, serno 33
        via 10.1.1.1 (30720000/28160000), Tunnel13
P 1.1.2.0/24, 1 successors, FD is 258816, serno 2
        via 1.1.1.2 (258816/258560), GigabitEthernet3
P 1.1.1.0/24, 1 successors, FD is 2816, serno 1
        via Connected, GigabitEthernet3
P 10.1.1.0/24, 1 successors, FD is 28160000, serno 28
        via Connected, Tunnel13

When a link to ROUTER3 is down:

 

ROUTER1#sh ip eigrp topology all-links
EIGRP-IPv4 Topology Table for AS(1)/ID(1.1.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 20.1.1.0/24, 1 successors, FD is 258816, serno 11
        via 1.1.1.2 (258816/258560), GigabitEthernet3
P 5.5.5.2/32, 1 successors, FD is 258816, serno 45
        via 1.1.1.2 (258816/258560), GigabitEthernet3
P 2.2.2.0/24, 1 successors, FD is 258816, serno 13
        via 1.1.1.2 (258816/258560), GigabitEthernet3
P 2.2.1.0/24, 1 successors, FD is 258816, serno 46
        via 1.1.1.2 (258816/258560), GigabitEthernet3
P 5.5.5.3/32, 1 successors, FD is 258816, serno 47
        via 1.1.1.2 (258816/258560), GigabitEthernet3
P 5.5.5.1/32, 1 successors, FD is 128256, serno 24
        via Connected, Loopback0
P 10.2.1.0/24, 1 successors, FD is 258816, serno 48
        via 1.1.1.2 (258816/258560), GigabitEthernet3
P 1.1.2.0/24, 1 successors, FD is 258816, serno 2
        via 1.1.1.2 (258816/258560), GigabitEthernet3
P 1.1.1.0/24, 1 successors, FD is 2816, serno 1
        via Connected, GigabitEthernet3
P 10.1.1.0/24, 1 successors, FD is 28160000, serno 28
        via Connected, Tunnel13

Your assistance is greatly appreciated!!

 

4 Replies

Hello

I notice you have decreased instead of increased the delay values on the EIGRP tunnels (R1, R2, R3). Was this to try and manipulate the routing path?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Yes, that was to try and manipulate it. I left one of the "0"s off the delay value; the delay should read 100000, to try and cost it higher.

 

This had no impact on the route selection. It still went via the EIGRP path, rather than the shorter OSPF path.

 

ulrickfr2001 (Level 1)

You said only the G4 interfaces of R1 and R2 are in the VRF, but it looks like some tunnel interfaces are also in the VRF.

 

ROUTER1

interface Loopback0
 ip address 5.5.5.1 255.255.255.255
!
interface Tunnel12
 description RTR1 to RTR2 (ospf)
 ip vrf forwarding INTERNAL
 ip address 20.1.1.1 255.255.255.0
 keepalive 10 3
 tunnel source GigabitEthernet5
 tunnel destination 172.1.1.2
 tunnel vrf INTERNAL

I think the issue is related to EIGRP internal and EIGRP external.

 

Could you provide the "show ip route ei" output when the interface to R3 is up and when it is down?
